Network Device Configuration 

Technical Field 

This invention relates to connecting to the internet via a data connection whose 
access permissions are remotely configurable. The connection may be via a modem or 
via a direct network connection. 

Background Art 

Connection of network devices to a network typically requires the attendance of a 
person on site to carry out the initial configuration of the device. For example, 
connection of a user's business to the internet for access by internal parties may be by 
ADSL (Asymmetric Digital Subscriber Line) or some other connection protocol. 
Such a connection is typically via an ADSL modem and may include a router to route 
incoming data packets and a firewall to stop attempts to intrude into the user's data. 
Typically the configuration of the router and firewall is done on site and will need to 
be changed on site to cater for variations over time in the user's business. This 
puts a smaller user to expense, since it requires specialised IT personnel to come on 
site to carry out the configuration. 

Connections for higher-volume users also typically include routers and firewalls 
connected via a plurality of modems for internet access. Currently these are mainly 
configured on site by the user's skilled personnel. It is known that, once the initial 
configuration is carried out, the device may be connected to remotely via the 
network and the final configuration carried out. 

Typically such a network device will include an operating system of some sort which 
will be accessible by using an external name and password. Once the correct name 
and password is entered the remote user may modify the device settings, including 
settings for any router and firewall. This creates a security problem, since anyone 
with knowledge of the name and password can alter the modem settings without 
authority. 
It is therefore an object of the present invention to provide a network device which 
does not require any on site attendance for configuration of the network device but 
which is secure or which will at least provide the public with a useful choice. 

Prior Art 

It is known to provide remotely configured routers to avoid attendance on site, for 
instance US patent US 6,012,088 shows one such router. However such routers may 
present a security problem in that if access is gained to them from one of the 
networks the router configuration can be changed, and may be changed in such a 
manner as to compromise security. 

It is therefore an object of the present invention to provide an internet connection 
which does not require on site attendance for configuration of router or firewall but 
which does provide complete security of the configuration or which will at least 
provide the public with a useful choice. 

Disclosure of Invention 

Accordingly, the invention may broadly be said to consist in a network device having 
operating software but no configuration data allowing it to carry out its intended 
purpose, which network device is remotely programmable with configuration data as a 
whole, but where neither the network device nor its operating software has any facility 
to allow incremental change of the configuration data. 

Preferably the device configuration data is held in random access memory (RAM) and 
is lost when no network device supply voltage is present. 

Preferably the device software contains a routine which on initialisation attempts to 
contact a remote verification authority to authorise retrieval of configuration data 
from a configuration authority. 

Preferably the device software contains only the routine for contacting the remote 
verification authority and receiving data from the remote configuration authority. 
Preferably the contact with the remote verification authority is subject to encryption. 
Preferably the device initially contains an input filter which will only receive 
configuration data from a specified remote configuration authority address. 
Preferably the device is a router which is integral with a modem. 

Preferably the modem is an asymmetric digital subscriber line (ADSL) modem. 

Alternatively the invention may be said to lie in the method of configuring a network 
device which loses its configuration data on power loss, comprising providing a 
network device without user configuration data, providing within the network device 
a routine which securely contacts a remote verification authority, and downloading 
from a remote configuration authority authorised by the remote verification authority 
the entire configuration data. 

Preferably the network device is a router. 

Preferably the router is part of an ADSL modem. 

Preferably the network device is capable of being configured only by remote 
download of the complete configuration data. 

Preferably the network device routine which contacts the remote verification authority 
carries out any information transfer using secure encryption. 

Preferably the secure encryption uses a public key encryption method. 

Preferably the private key for the network device is provided by a device temporarily 
connected to the network device. 

Preferably the temporarily connected device is a USB memory device. 

Preferably the configuration data is also lost from the network device on any intrusion 
attempt. 

Alternatively the invention may be said to consist in a method of providing 
communication between two network devices of unknown network address wherein 
each device is required to download its configuration parameters from a server at a 
known network address each time the device is initialised, the devices' allocated 
network addresses are stored at the server, the server may be queried for the allocated 
network addresses of the two network devices, and communication can be 
initiated between the two network addresses from this data. 

Preferably the two network devices are routers. 

Preferably the routers form part of ADSL modems. 
The invention may also broadly be said to consist in the parts, elements and features 
referred to or indicated in the specification of the application, individually or 
collectively, and any or all combinations of any two or more of the parts, elements or 
features, and where specific integers are mentioned herein which have known 
equivalents, such equivalents are incorporated herein as if they were individually set 
forth. 



Brief Description of Drawings 

One preferred form of the invention will now be described with reference to the 
accompanying drawings in which, 

FIGURE 1 shows a block diagram of one form of network device. 

FIGURE 2 shows a flow diagram of the initial mediation procedure which 
downloads configuration to the network device. 



Detailed Description 

With reference to Figure 1, the diagram shows a network device consisting of an 
ADSL connection via a modem 101 to a firewall 102 and router 103 which distributes 
the data to devices such as PCs 104. The modem acts to convert packets from the 
firewall and router into a form suitable for carrying information over the internet. The 
firewall 102 acts to restrict what information packets may be transferred into the user's 
system and the router 103 acts to distribute packets to an internal user in accordance 
with the packet address. 

In practice the modem, firewall and router may be combined into a single item of 
equipment with the configuration data held in a common internal location. 

According to the current invention the modem, firewall or router has configuration 
information which is internally held, but this information is not capable of being 
changed by any routine or subroutine held in the modem. The only way in which this 
information can be altered is to download an updated configuration from a remote 
authority. The only remote authorities which the modem recognises are ones which are 
hard coded into the internal software, and the only action the modem can take as 
regards configuration is to contact the remote authority in a secure manner. This 
action can occur either at power on or if an intrusion is detected, or it can be triggered 
by a specific remote query. 

Thus the modem may have instructions in read only memory (ROM) which instruct it 
to call an address such as 203.17.209.32 upon initial power on, but otherwise to 
provide no routing of incoming or outgoing data packets. Once the designated 
address is called and verification of the network device is established by a 
verification service, a secure connection between the modem and the address is set up, 
preferably by the exchange of encrypted passwords through a secure sockets layer 
(SSL), and the modem's required configuration is downloaded from a configuration 
server. This provides the routing configuration required and leaves the modem in a 
secure state. 

The configuration may include any connection data and passwords for connecting the 
modem to an internet service provider (ISP), and the modem may automatically carry 
out the connection once configured. 

Where the connection between the modem and the server is such that it does not 
support full public key encryption the authentication for the modem may be provided 
by a removable key, for instance a USB key. 

Should an attempt be made to configure or reconfigure the modem without using the 
correct encryption from the correct address the modem initialisation software is 
intended to be re-triggered, resulting in a complete download of the required 
configuration. 

Figure 2 shows how the equipment on powering on at 201 searches for an internet 
connection and, on detecting one, sends a particular data stream to the remote 
verification authority at 202, 203, which detects the identity of the calling equipment 
and from this can look up the customer's identity, the equipment's current state, and its 
desired state as required by the customer. The remote authority then connects to a 
configuration server and initiates the procedure to securely update the equipment at 
204 with the desired configuration changes and with the software required to carry out 
the desired functions. The remote configuration authority can then continue to receive 
operation reports from the equipment at scheduled intervals. 
In accordance with the present invention the modem, firewall and router are normally 
provided as a single equipment item which may also include a hub or switch. This 
item is installed on the user's premises, provided with a connection to the internet and 
powered up. On detecting the internet connection the equipment identifies itself to 
the remote verification authority, the only action it is capable of taking. 
The remote authority will detect the identification of the calling equipment and 
validate this against a database of equipment whose setups are stored. If the 
equipment ID is found the remote authority may then, in secure mode, connect the 
calling equipment to a configuration service and download to the equipment such 
configuration details and software as will allow it to perform the desired 
router/firewall functions. 

Preferably the equipment configuration template is held by the remote authority, who 
may either make changes in it or allow the user to make changes in it via secure 
internet access. Such changes may be downloaded to the equipment in the same 
manner as the initial configuration data, though in most instances the remote authority 
will send a code to the equipment which forces it to reload the configuration. 

The firewall and router may maintain the normal statistics of packets passed, 
addresses sent to or received from, intrusion attempts etc. and may, either on 
prompting or on schedule, send these details to the configuration authority for storage 
and possible analysis. 

The firewall or router may be set up to pass information through desired ports and 
may be set to configure these ports on call. Thus if a client requires a VPN 
connection between two locations which do not have a specific allocated IP address 
(as for instance a small office served by ADSL without a fixed address), the client 
requests the VPN connection from the remote authority, which will have stored the 
network address of any modem of the inventive type. The remote authority then 
notifies the network devices of the required connection and the devices then create the 
VPN connection. Thus a VPN connection can be established between two modems 
which did not initially know each other's addresses. 

While the invention is described in relation to an ADSL modem the invention is 
equally as applicable to the configuration of a PC, a router of any type, a mobile 
phone or PDA or other similar equipment. 
Industrial Applicability 

The invention is applicable to the guaranteeing of the configuration of a network 
device, to prevent the compromising of data passing through that device, or the 
extraction of data in an unintended manner by that device. 

Thus it can be seen that at least the preferred form of the invention provides an item of 
equipment which can be remotely configured for network device set up purposes. 



